Re: capsicum(4): .. and SIGTRAP causing syscall really is in siginfo_t.si_errno?

From: Steffen Nurpmeso <steffen_at_sdaoden.eu>
Date: Thu, 13 Apr 2023 20:41:17 UTC
Hello.

Ed Maste wrote in
 <CAPyFy2D27qRn4i4V7V6Lt4nFq63C6P4HwF5dOgPRE54yeDKvcw@mail.gmail.com>:
 |On Wed, 12 Apr 2023 at 16:34, Steffen Nurpmeso <steffen@sdaoden.eu> wrote:
 |> I think capsicum is very, very smart and capable, like CloudABI
 |> was.  Yet very hard to work with as it needs so many new *at(),
 |> needs to have hooks to modify descriptors after accept(), and
 |> openat(), etc.  And needs user-path <> realpath(3) mappings .. the
 |> way i do it.)
 |
 |Indeed. These limitations all stem from the properties that give
 |Capsicum its security properties (no access to global namespaces or
 |ambient authority). It is "relatively" straightforward to use when
 |incorporated into new software from the beginning, but certainly
 |harder to retrofit.
 |
 |realpath is an interesting case, as in capability mode there is no
 |absolute root directory. All paths are necessarily relative to a
 |directory fd. The Casper fileargs service provides a realpath
 |replacement, but I've also started looking into what a Capsicum-native
 |realpathat would be.

Yes!  I do not know how it can work without actually, like i had
written in the other email.  I mean, if the service shall be able
to re-evaluate its configuration at runtime, with users having the
full flexibility of simply giving a path (in my case files with
allow or block lists, and resource-file chains), then it must be
able to realpath since openat(2) does not allow relative paths nor
absolute paths.
And .. outsourcing that "realpath" thing (as you say), or
performing the entire re-configuration outside the sandbox, seems
a target for those attacks that the capsicum(2) designers had in
mind when designing it that way.  realpathat(2) would be great.

 |> As i am very new with this -- am i correct assuming that once
 |> a capability was set on a directory or listening socket, opened
 |> / accepted FDs inherit the capability of "their parent"?
 |
 |In general, yes. Rights can be removed or subsetted but not added.

Thank you, i had tested that a bit yesterday after the thing did
run, by removing rights from the root FD, .. and yes it worked.

 |> The capsicum(4) and rights(4) etc manuals are
 |> complete, but for someone without any real foreknowledge they miss
 |> some small hints, here and there.  Not that Linux does that
 |> better.  Or OpenBSD, where you need at least one unveil with "some
 |> meat" in order to apply it, even if you simply want no paths at
 |> all.  .. I think.)
 |
 |I think capsicum(4) in particular could use more information, but man
 |pages are always going to be closer to reference material. The initial
 |Capsicum paper is a good read to understand Capsicum's design and
 |approaches that can be taken to refactor existing software:
 |https://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-se\
 |curity-capsicum-website.pdf

2010 even, it came to my mind seeing all these 2013 copyrights,
.. but the anniversary passed aleady.  'Will download it when i am
online again.

 |> I had the impression that casper uses a supervising process.
 |
 |I wouldn't describe it as a "supervising process", but Casper does
 |indeed involve additional process(es). In essence Casper services are
 |performing the same work that an explicitly privilege-separated
 |process would do. With cap_fileargs for example you have one process
 |(that is not operating in capability mode) with access to the
 |filesystem (global namespace). That process opens files, and passes
 |file descriptors to the capability-mode process that performs the
 |work.

Yes.  Ok here it is actually supervising since i need some easy
and portable way to ensure gracefully the logger process
terminates when the actual server process terminates.
(I mean, without an additional communication pipe or something.
The logger simply does blocking reads, and then blocking writes.
Also, like this, he shares the file lock with the actual server,
so no shutdown/startup synchronization problems ever can occur,
portable and easily.  You know .. even though it now has the
special --startup, --status, --shutdown modes, the original idea
was, and that is how i personally use it, that one simply asks it
a question by starting the client, and the client automatically
starts the single instance server if that is not running, and that
configurably times out after so and so much time without any
client.. etc etc etc.
That made me painfully realize that unfortunately UNIX domain
sockets fail their bind(2) with EADDRINUSE if the path exists,
even though if there is no active server bound to them, actually
requiring that additional reassurance lock file the descriptor of
which now is shared, as above.)

I wanted to avoid such very expensive things, like your casper
example, for such a small thing.  I mean, before the sandboxing,
this secondary server took about 800 KB RAM and consumed 0.00
seconds CPU time for over a week of work.  I hate that on Linux
and FreeBSD log messages now go X->OS->logger process out of
sandbox->OS->syslogd->OS and what do i know.  But i never grasped
such also for sound processing, i still worship the FreeBSD sound
device muxer from about twenty years ago, i could record music
with about ~1.5 percent CPU usage on a Cyrix 166+, and easily play
music as some frequency and format conversions were built into the
kernel, simplemost and cheap user space work to get this done. 
(While doing work and compile sessions, without stutter etc, on
a single processor box with slow hard disk!)

 --End of <CAPyFy2D27qRn4i4V7V6Lt4nFq63C6P4HwF5dOgPRE54yeDKvcw@mail.gmail\
 .com>

Thank you, and Ciao!

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)